Spyblog

For a very opinionated blog on all things privacy, see http://www.spy.org.uk/spyblog/

U.K. Data Protection Act 1998: Exemptions

http://www.hmso.gov.uk/acts/acts1998/80029--d.htm#27

Freedom of Information Act 2000 [Exemptions]

http://www.hmso.gov.uk/acts/acts2000/00036--e.htm#21

Data Protection in Greece (Law 2472/1997)

the exemptions of the greek law can be found here Article 5 Conditions for processing.

Data Protection in the Republic of Ireland

While Irish law differs from UK law insofar as the Irish Constitution recognises a right to privacy, there was a need for specific legislative action in the field of privacy rights in relation to information gathering, retention and use. The 1981 Strasbourg Convention was implemented in the form of the Data Protection Act 1988.

In Data Protection Principles Section 2(6) to allow extra safeguards against misuse of confidential data on racial origin, political opinions, religious or other beliefs, physical or mental health, sexual life or criminal convictions, but no regulations have been made.

Personal data held for direct marketing purposes is obviously subject to these provisions, but the Act goes further by allowing data subjects a right to have such data deleted within 40 days of a request for deletion being made.

However, there are the exemption from the non-disclosure provisions. The principles which regulate non disclosure are relaxed for certain kinds of data by Section 8. Restrictions in the Act do not apply to data.

• certified by a senior member of the police or defence forces as being required to safeguard the security of the state,
• for criminal investigation purposes or taxation or other fiscal purposes.
• protection the International Relations of the State
• required urgently to prevent infury or other damage to a person or serious loss or damage to property
• required by law or court order
• for the purpose of obtaining legal advice or in legal proceedings
• to an agent of the data subject
• made with the consent of the data subject.

The Data Protection Commissioner is charged with enforcing the Act by investigating complaints, sponsoring codes of practice, prosecuting offenders, supervision the registration process, and generally raising awareness and understanding about data protection. The attitude of the Commissioner's office is generally non-confrontational and prosecutions for offeces have not been initiated.

Citation: Clark, Robert (1996) 'Data Protection in the Republic of Ireland', 1 The Journal of Information Law and Technology (JILT). http://elj.warwick.ac.uk/elj/jilt/dp/1eire/

Week 6 reading

1. Bennett on flight passenger data
2. Lloyd Chapter 6 on Information Commissions.
3. Blog the exemptions to national Data Protection requirements - including for the UK the FoI exemptions.
4. Durant case - it's only a small one, but also read the ICO's guidance - also at Lloyd Chapter 5.10-5.15.

Information Commissioner UK 'corporate plan'

This plan is a useful introduction to assesing data law for FoI, data protection and ID cards/government regulation.

Colin Bennett's links page

Here.

Closed Circuit TV and data protection

Survey of new technologies and data protection for the Information Commissioner can be found here.

Home Affairs Select Committee report on ID cards

Is found here - note appendices containing verbal and written evidence.

"'Regulating' Online Data Privacy"

This article may be of interest http://www.law.ed.ac.uk/ahrb/script-ed/issue3/privacy.pdf

Week 5 - three tasks

1. What rights do you have under your national data protection law, to view police records? Use the jurisdiction assigned in class.
2. Scrutinize the 3 key elements in the implementation of data protection law for your jurisdiction (e.g. Ireland, Greece, Denmark, Netherlands, UK, Germany/Australia):
[a] What exemptions exist? Is the law drawn to minimally enforce Directive 95/46/EC or is more protection given?
[b] Have national courts scrutinized or criticized government's use of these exemptions to force greater data protection? If not, read the Osterreichischer Rundfunk judgment in the European Court of Justice.
[c] how active is the Information Commissioner? Read their latest Annual Report - if there is no English version, consult the UK Information Commission report.
3. Further reading is Colin Bennett's analyses of Information Commissions' work - for example, here.

JILT Index on Data Protection

This is up to date to 1998 - useful on 1995 Directive implementation.

Week 5: Denmark, Sweden, Ireland implementations

1996 Issue 1 of JILT - choose one - not all of them.

Week 5 - Implementing EU Directives in national law

Interesting article comparing Germany and Australia by a Yale Australian scholar.

Biometric data in International Athens Airport

Here is a decision of the Greek Data Protection Authority about the use of biometric data in International Athens Airport.

Blogging the Identity Cards Bill

A fellow Fellow of the Oxford Internet Institute is Richard Allan MP - see his comments here.

Privacy updates

Check for US airport screening and the Lennox Lewis defamation at Rob Heverley's UEA blog.

Syllabus revised! LW656

LW656: Data Protection
Background Sources
Week 1: Reading week.
Week 2: Introduction: Defining Data Protection in the Context of Privacy
Lloyd Chapter 3
Week 3: The European Directive 95/46/EC and its Origins
Lloyd Chapter 4
Week 4: UK Identity Cards Bill and UK law
Lloyd Chapter 5
Report and 3rd Reading of the Identity Cards Bill in the House of Commons will be webcast live and we should be able to comment on the Bill and discuss it in our seminar that evening. Week 5: Transposing the 1995 EU Directive
Lloyd Chap 4, pp76-81.
See further Bergfeld (1996) The impact of the EC Data Protection Directive on Dutch Data Protection Law
Report on the implementation as it happened.
Bennet, Colin J, Regulating Privacy: Data Protection and Public Policy in Europe and the United States, Cornell University Press – or Google for ‘colin bennet data protection’ – excellent source.
Week 6: Information Commissions
Lloyd Chapter 6 (background Chapter 7)
In terms of studies on general compliance with Data Protection law in an EU state, see Study of Compliance with the Data Protection Act 1998 by UK Based Websites UMIST/Information Commissioner’s Office. There is a summary at http://www.out-law.com/php/page.php?page_id=ofukwebsites1023451385&area=news . In general the report showed very poor compliance from a sample-picked selection of sites, especially in areas such as security , and also a low level of privacy policies and an even lower level of intelligible ones (5%!). This acted as a trigger for the incoming Information Commissioner, Richard Thomas, to announce that website compliance would be a major enforcement target for his period in office as DP supremo.
Week 7: 2002 Electronic Communications Directive and telecoms data
Lloyd Chapter 8 & Chapter 9 pp214-234
Hosein et al (2004) Questioning lawful access to traffic data
Privacy International (October 2003) Memorandum Of Laws Concerning The Legality Of Data Retention With Regard To
The Rights Guaranteed By The European Convention On Human Rights
Week 8: Safe Harbours and US law
Lloyd Chapter 10
Reindenberg, Joel. R. Resolving Conflicting International Privacy Rules in Cyberspace, 52 Stanford Law Review, 1315 (2000)
Jan Dhont, María Verónica Pérez Asinari, Yves Poullet, Joel R. Reidenberg & Lee Bygrave, Safe Harbor Decision Implementation Study (Apr. 19, 2004)
Week 9: CCTV Case Study and Technologies of Control
Lessig, Code and Other Laws of Cyberspace (New York: Basic Books, 1999), chapter 11; Lessig, “The Law of the Horse: What Cyberlaw might Teach”, Harvard Law Review, 1999, volume 113, pp. 501; "Reading the Constitution in Cyberspace", Emory Law Journal, volume 45, number 3, Summer (1996) pages 869-910
Week 10: Concluding session: International Trade and Data Protection.
Is the EU taking a large risk in not terminating the Safe Harbour? GATS Article XIV(c)(ii) specifically authorizes the European privacy regulations to restrict cross-border services provided that the measures are not used to discriminate between trading partner countries and provided that the measures are not used as a disguised restriction on trade in services. (http://www.wto.org/english/docs_e/legal_e/26-gats_01_e.htm) Internal EU compliance problems are not relevant because the GATS obligation, known as MFN, relates to favoring one non-EU country over another non-EU country. Since the 2004 EC study and the 2001 study each showed important compliance deficiencies, third countries such as Australia have a very strong argument that the EU is impermissibly favoring the US in that the EU appears to be holding third countries to a higher standard of "adequacy." WTO Appellate Body Decision in the EC-Bananas III case specifically said that de facto discrimination was as valid a basis for an MFN claim as de jure discrimination. Even with respect to disguised restrictions, I think the US would have a very difficult case since European data protection agencies do enforce national data privacy laws, even if the level of enforcement is weak. EU would have serious trade issues if EU data protection agencies were to take enforcement actions only against US companies transferring data from Europe. This form of discrimination is an entirely different type of trade problem -- a violation of the GATS national treatment obligation-- that is independent of the Safe Harbour. The issue is differential treatment of companies within Europe based on their nationality rather than differential treatment of destinations.

References to Cases in Privacy

Lord Camden's dicta Entinck v. Carrington (1765) also Douglas J. in Warden v. Hayden
Other references here - Lorrie Cranor's excellent introduction includes a citation from ther Hippocratic Oath.
For Posner on law and economics of privacy, see:
Richard A. Posner, The Right of Privacy, 12 Georgia Law Review. 1392 (1978)
See further:

Warren and Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890)

Westin, Alan F., Privacy and Freedom, New York: Atheneum, 1967.
Lyon, David, The Electronic Eye: the rise of surveillance society. Cambridge: Polity Press, 1994.
Etzioni, Amitai. The Limits of privacy, New York : Basic Books, 1999

All US Supreme Court decisions are here - also see Cornell's LII website.